1. Technical Field
The present invention relates generally to an apparatus and method for improving the detection performance of an intrusion detection system and, more particularly, to an apparatus and method that can precisely detect intrusions using Snort-based intrusion detection rules applied to a network intrusion detection system and can reduce the false positive rate of existing intrusion detection rules.
2. Description of the Related Art
Generally, as the number of detection rules increases, the detection rate of attacks may increase. However, this also degrades system performance (the number of detection rules to evaluate, detection time, and storage space) and the efficiency of security control tasks, for example because an analyst needs a long time to analyze the detection events.
In order to improve the true positive rate of detection rules, a commercial system optimizes its detection rules according to its own optimization scheme and keeps the number of detection rules at a fixed level. In this case, when that level is exceeded, either the oldest detection rule or a detection rule with a low detection rate is eliminated and a new detection rule is applied, or the results of analysis are reflected in the rules depending on the ability of the analysis team.
However, in security control tasks, if several gigabytes of detection events are accumulated per day and an analyst analyzes those detection events, a long analysis time is required, thus deteriorating task efficiency.
Accordingly, in order to reduce the false positive rate of detection rules, technical optimization methods have been used. However, since such a method merely analyzes and improves the detection rules themselves, the various interference factors present in a network environment cannot be taken into account.
Therefore, the starting point for improving detection efficiency is to create detection rules such that true positives can be precisely determined from the traffic identified by a firewall, an intrusion detection system (IDS), and an intrusion detection sensor, and thus to improve the true positive rate.
In the past, when the detection rules of a Snort-based intrusion detection system were created, they were classified into IP-based detection rules and packet payload-based pattern detection rules, and then created accordingly.
In particular, pattern detection rules are created from specific patterns appearing in a packet payload, identified by analyzing malicious code and attack techniques that may occur in network-based intrusion behavior. However, when pattern detection rules are created, various types of detection rule patterns may be generated depending on the results of analysis by the detection rule creators. Further, due to the diversity of packet payloads, more false positives (that is, a higher false detection rate) may occur than with IP-based detection rules.
Furthermore, after the detection rules have been created, they are immediately applied to an intrusion detection system in operation. At that point the detection rules are used merely to determine whether an intrusion has been detected, and no process for supplementing the degree of completion of the detection rules has yet been applied. This makes it difficult to improve the true positive rate of the intrusion detection rules and to correct their false positive rate for a predetermined period of time. Further, for the intrusion false positive events occurring during that period, an analyst analyzes the events one by one and determines whether each is a true positive or a false positive, so there is a limit to how far the efficiency of intrusion detection tasks can be improved. In particular, the large number of intrusion false positive events caused by detection rules containing errors may become the major cause of reduced efficiency when performing security control tasks.
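The distinction drawn above between IP-based rules and payload pattern rules, and the per-rule false positive rate an analyst would otherwise have to establish event by event, can be illustrated with a small evaluator. The code below is an added example, not part of the patent; it parses two constructed, simplified Snort-style rules (the header and only the `content` and `sid` options are supported), runs them over constructed packets that an analyst has labelled as attack or benign, and reports true positives, false positives and the false positive rate per rule.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified Snort-style rules: one IP-based rule and one payload-pattern rule.
RULES = [
    'alert tcp 203.0.113.7 any -> any any (msg:"known bad host"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"shell command in request"; content:"cmd.exe"; sid:1000002;)',
]

# Constructed packets labelled by an analyst: (src_ip, dst_port, payload, is_attack).
PACKETS = [
    ("203.0.113.7", 22, b"SSH-2.0-OpenSSH", True),
    ("198.51.100.4", 80, b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0", True),
    ("198.51.100.9", 80, b"POST /kb/article HTTP/1.1\r\n\r\nHow do I open cmd.exe on Windows?", False),
    ("198.51.100.9", 80, b"GET /index.html HTTP/1.1", False),
]

# Only the "alert tcp SRC SPORT -> DST DPORT (options)" shape used above is parsed.
HEADER = re.compile(r"^alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$")

@dataclass
class Rule:
    src: str                  # source IP or "any"
    dport: str                # destination port or "any"
    content: Optional[bytes]  # payload pattern, None for a pure IP-based rule
    sid: str

def parse_rule(line: str) -> Rule:
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line}")
    src, _sport, _dst, dport, opts = m.groups()
    fields = dict(o.strip().split(":", 1) for o in opts.split(";") if o.strip())
    content = fields.get("content")
    return Rule(src, dport, content.strip('"').encode() if content else None, fields["sid"])

def matches(rule: Rule, src: str, dport: int, payload: bytes) -> bool:
    if rule.src != "any" and rule.src != src:
        return False
    if rule.dport != "any" and int(rule.dport) != dport:
        return False
    return rule.content is None or rule.content in payload

def evaluate(rules, packets):
    """Per-rule true/false positive counts and false positive rate over labelled packets."""
    stats = {}
    for rule in rules:
        tp = sum(1 for s, d, p, atk in packets if atk and matches(rule, s, d, p))
        fp = sum(1 for s, d, p, atk in packets if not atk and matches(rule, s, d, p))
        stats[rule.sid] = {"tp": tp, "fp": fp, "fpr": fp / (tp + fp) if tp + fp else 0.0}
    return stats
```

The payload rule fires on the benign knowledge-base article as well as on the directory traversal request, giving it a false positive rate of 0.5, while the IP-based rule produces no false positive on this sample.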
As related preceding technology, Korean Patent Application Publication No. 10-2011-0098269 (entitled “Intrusion detection method using pattern searching”) discloses technology for defining the patterns of known attack techniques or malicious codes as forbidden character strings and then efficiently determining whether a forbidden character string is included in a given input character string.
The invention disclosed in Korean Patent Application Publication No. 10-2011-0098269 defines the patterns of known attack techniques or malicious codes as forbidden character strings, and configures the defined forbidden character strings as a generalized suffix tree, thus efficiently determining whether a given input character string on a network includes a forbidden character string.
However, the above-described invention disclosed in Korean Patent Application Publication No. 10-2011-0098269 is merely intended to organize the partial character strings of a forbidden character string set into a generalized suffix tree, and thus to rapidly detect whether a forbidden character string is included in a given input character string on the network.